Randomly, in a Federation transaction, the Policy Server selects the
wrong User Store to authenticate the user; the user is then not found
and is therefore not authorized.
I've been observing this issue for a long time.
The 2 UDs that get mixed up use the same servers; only a different
root is set.
Policy Server 12.5CR02 on RedHat 5 64bit;
This issue is caused by a flaw in the directory key mapping used to
define the User Stores. It is fixed in Policy Server 12.52.
Note that this issue is related to DNS names only in the sense that,
in 12.5, the DirectoryMap uses the LDAP server name: the keys of this
mapping are built from the LDAP Directory namespace and server name,
so two User Stores on the same servers produce the same key.
The fix changes this. The Policy Server uses the User Directory Name
(the name given in the AdminUI) instead of the
As a workaround, set FQDN aliases for all LDAP servers in the /etc/hosts
file on the Policy Server and the AdminUI, then use the AdminUI to
configure the LDAP servers listed in your User Store definitions
(including load balancing and failover) according to the aliases
you put in the /etc/hosts file, so that each User Store uses its own
server name.
This will solve the issue.
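As an added example that is not part of the original article, the following POSIX shell script models the 12.5 mapping key and checks a workaround /etc/hosts fragment: it flags two User Stores that would share a key and confirms each alias is listed in the hosts file. The "namespace|server" key format, the host names and the addresses are assumptions made for the example; the article only states that the key is built from the namespace and the server name.

```shell
#!/bin/sh
# Added example, not from the original article. Models the 12.5 DirectoryMap
# key collision and checks a workaround /etc/hosts fragment.
# ASSUMPTION: the key is written here as "namespace|server"; the article only
# says it is built from the namespace and the LDAP server name.

# Constructed /etc/hosts fragment: one LDAP host published under two aliases,
# one per User Store, as the workaround requires.
HOSTS_FRAGMENT='192.0.2.10  ldap01.example.com ldap01
192.0.2.10  ldap-ud-employees.example.com
192.0.2.10  ldap-ud-partners.example.com'

# ud_key NAMESPACE SERVER -> the mapping key a 12.5 Policy Server would build
ud_key() {
    printf '%s|%s\n' "$1" "$2"
}

# keys_collide NS1 SRV1 NS2 SRV2 -> exit 0 if both User Stores map to one key
keys_collide() {
    [ "$(ud_key "$1" "$2")" = "$(ud_key "$3" "$4")" ]
}

# alias_resolves NAME -> exit 0 if NAME appears as a host name in the fragment
alias_resolves() {
    printf '%s\n' "$HOSTS_FRAGMENT" | awk -v a="$1" '
        !/^#/ { for (i = 2; i <= NF; i++) if ($i == a) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_workaround NS1 SRV1 NS2 SRV2 -> prints "ok" when the two stores use
# distinct names that resolve; otherwise prints why they would still mix up
check_workaround() {
    if keys_collide "$1" "$2" "$3" "$4"; then
        echo "collision: both stores map to key $(ud_key "$1" "$2")"
        return 1
    fi
    for srv in "$2" "$4"; do
        if ! alias_resolves "$srv"; then
            echo "unresolved: $srv is not in /etc/hosts"
            return 1
        fi
    done
    echo ok
}

# Before the workaround: same namespace and server name, only the root differs
check_workaround LDAP: ldap01.example.com LDAP: ldap01.example.com
# After the workaround: one alias per User Store
check_workaround LDAP: ldap-ud-employees.example.com LDAP: ldap-ud-partners.example.com
```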